CASL survives constitutional challenge, FCA gives some insight

Yesterday the Federal Court of Appeal held that Canada’s Anti-Spam Legislation is intra vires Parliament and Charter-compliant. In doing so it opined on the scope of numerous CASL provisions, most-notably the so called “business-to-business  exclusion.”

CASL applies coast-to-coast-to-coast – passed under the federal trade and commerce power. It is known to be both strict and inelegantly drafted because it applies very broadly but carves out areas of activity piecemeal, though numerous exemptions and exclusions.

None of this caused the Court any problem. It rejected the appellant’s division of powers attack and its attack under sections 2(b), 11, 7 and 8 of the Charter. Ultimately the Court viewed CASL as addressing an important problem of national scope and focused enough to pass muster because its scope of application is tied to “commercial activity” (a concept with sufficient meaning) and because of its numerous exemptions and exclusions: “CASL thus establishes a complex legislative scheme that evinces a considerable degree of tailoring to meet its objectives.”

More practically, the Court affirmed a CRTC finding that e-mails sent by the appellant to market training courses employees of organizations did not fit within the Act’s business-to-business exclusion, which removes commercial electronic messages from all regulation if they are sent by an organization, “to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent.”

Regarding the relationship requirement, the Court agreed with the CRTC that it will not be satisfied by mere proof a prior transaction with an employee of the organization to whom a message is sent. The Court used the term “partner organization” to characterize an organization that would qualify for exclusion. It also said that the requirement for exclusion is more demanding than the requirement for being in the type of business relationship that would only trigger deemed implied consent – i.e., an existing business relationship. The Court explained:

Finding an existing business relationship in the present case would permit the appellant to send CEMs to a person—an individual—who had paid the appellant for a course within the preceding two years. Finding a relationship for the purposes of the business-to-business exemption, on the other hand, would allow the appellant to send CEMs to not only the individual who took the course, or the individual who paid for the course, but to every other employee of the organization to which those individuals belong—and organizations can be very large indeed. The latter finding would expose a great many more people to the potentially harmful conduct that it is CASL’s raison d’être to regulate. This suggests, contrary to the appellant’s argument, that the evidentiary requirements for establishing a relationship for the purposes of the business-to-business exemption should in fact be more demanding than for an existing business relationship.

Although this will limit access to the exclusion, the Court did find that phrase “concerns the activities” does not limit organizations to sending e-mails that concern only the core business operations of the recipient organization.

I’ve addressed only the Court’s most significant interpretive finding. Yesterday’s decision also addresses (a) the purpose of CASL, (b) the meaning of “commercial electronic message”, (c) the relevance of one’s job title to establishing deemed implied consent and (d) the prescribed requirements for an unsubscribe mechanism.

3510395 Canada Inc. v. Canada (Attorney General), 2020 FCA 103.

First CASL decision invites long-desired feeling of normality

Canada’s Anti-Spam Legislation is relatively new, onerous and far from elegant. Organizations have been weighing the risks the best they can – and in doing so have puzzled over how to account for CASL’s provision for penalties of up to $10 million.

On October 26th, the CRTC issued a decision in which it held that a company breached the consent requirement in CASL by sending approximately 385,000 unsolicited e-mails to government employees. As a result, it ordered an administrative monetary penalty of $50,000. Most significantly, the CRTC’s decision includes following comment about the significance of CASL’s significant maximum penalty:

The potential for higher penalties provides the Commission and the designated person with a means to recognize and address more egregious non-compliance when it arises, but this does not mean that larger penalties are inherently more appropriate in comparison to regimes with lower maximum penalties. As provided for in the Act, the objective and effect of an AMP must always be to promote compliance, and must not be to punish.

The CRTC considered the size of the company (“small”) and the short duration of the violation (two months) to support a lower penalty. Conversely, it considered the company’s failure to respond to a production order and its failure to change its practices immediately when contacted by investigators as aggravating factors.

The company violated the Act because it could not demonstrate the basis for which it claimed implicit consent to message individuals whose e-mail addresses were “conspicuously published.” In finding a violation, the CRTC said:

The requirement that it be relevant to the recipient’s role or functions creates the condition that the address be published in such a manner that it is reasonable to infer consent to receive the type of message sent, in the circumstances… Paragraph 10(9)(b) of the Act does not provide persons sending commercial electronic messages with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis.

Harvesting addresses from the internet for the purpose of business-to-business marketing is permitted but, as this case shows, organizations need a protocol to demonstrate a duly diligent effort to send individuals messages that are relevant to their work.

None of this should come as a surprise, but this welcome decision does invite a long-desire feeling of normality.

Compliance and Enforcement Decision CRTC 2016-428.

 

With CASL, a little due diligence goes a long way

Everyone’s talking about Porter Airlines’ recent agreement to pay a $150,000 penalty for various CASL violations. Porter is a sophisticated marketer yet slipped up, so other organizations are now wondering what whether they are similarly exposed. (Perhaps this was the CRTC’s enforcement aim.)

CASL is a regulatory instrument that includes a due diligence defence. In other words, organizations can violate the act without liability if they have taken all reasonable steps to avoid the violation.

Due diligence is about using good, systematic processes to avoid bad things. Here’s a simple process for due diligence that me and my colleagues have employed and continue to employ with our clients:

  • Define your operational units and prioritize them in accordance with risk
  • If you can’t do them all, select key units for review
  • Identify a key individual for each unit, someone with the best knowledge of messaging practices
  • Ask the key individual to complete (in writing) a list-centric survey – a survey that aims to gather some basic information about all formal and informal address lists (It’s easier to identify lists than activities.)
  • Review the survey response and applicable website or sites and follow-up in writing with questions that help close major gaps
  • Have a telephone call to confirm understanding and discuss potential compliance issues
  • Draft a compliance memo – a point-form document that identifies the steps taken in the compliance review, the activities of concern and the compliance advice
  • Conduct any follow-up information gathering in response to the memo
  • Send the memo the the key individual for feedback on completeness
  • Finalize the memo

This is a not a difficult or costly process for review and remediation, though you should also budget for (a) some project management costs for a multi-unit review and (b) some multi-unit training, which is normally an appropriate follow-up to the review and remediation process.

If the Porter agreement is causing you worries, following a process like this is well worth it.